Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen der Seite angezeigt.

--- content:serverbasics:docker-caddy [2024/01/08 20:26] – angelegt obel1x
+++ content:serverbasics:docker-caddy [2025/06/05 23:27] (aktuell) – [Create Caddy Yaml] obel1x
@@ Zeile 3: / Zeile 3: @@
 Caddy is a powerful full featured webserver, which is also easy to use and setup.
-In this guide i will show how to use Caddy as SSL- Proxy for your services to deliver them to the internet via name- based virtual hosting.
+In this guide i will show how to use Caddy as SSL- Reverse- Proxy for your services to deliver them to the internet via name- based virtual hosting.
 ===== Prerequisites =====
@@ Zeile 11: / Zeile 11: @@
 ===== DNS- Records =====
-You will also need a domainname like ''my.domain.tld'' and hostnames, that are resolvable for each service, so that ''service.my.domain.tld'' can be resolved from out of - and in the internet to point to your Server. If you do not have them already, this is how to get them.
+You will also need a domainname like ''my.domain.tld'' and hostnames, that are resolvable for each service, so that ''service.my.domain.tld'' can be resolved from out of - and in the internet to point to your Server. If you do not have them already, read here: [[.:network-dyndns|]]
-==== Register some Domain ====
-There are many free Domainproviders out there. I chose dynv6 ( [[https://dynv6.com|https://dynv6.com]] ), but this should work with any of them.
+When your service sucessfully resolves, you can use it in Caddy as written beneath.
-bla (not ready) blah - setup IPV4 , setup IPV6, bla link to [[.:network-dyndns|https://obel1x.de/dokuwiki/doku.php?id=content:serverbasics:network-dyndns|]]
-==== Define services ====
-After that, create an A-Name record (or AAAA- Name for ipv6) per service without specifying the ip, som that the dynamic ip of the domain will be taken.
 ===== Create Caddy Yaml =====
@@ Zeile 30: / Zeile 23: @@
 For me, this would be ''mkdir /srv/docker-compose/caddy'' \\
 Change to that directory and create the following docker-compose.yml file in it, putting in the following:
-<file>
-version: "3.8"
+<file>
 services:
   caddy:
@@ Zeile 48: / Zeile 39: @@
     cap_add:
       - NET_ADMIN
-# initially i wanted to make networkmode host to acces ports on locahost directly
+    healthcheck:
-# it turned out not to work in rootless- mode for security reasons
+      test: "wget --no-verbose --tries=1 --spider https://www.servername.domainname.tld || exit 1"
-# so don't use host- mode. to access local services take the hostname directly, maybe define it static and add it to /etc/hosts
+      interval: "60s"
-# e.g. pcserver:9000 - mind, that the port must be pubilshed by the other containers to the host
+      timeout: "3s"
-# NOT localhost:9000 - this is prevented by docker in rootless- mode !
+      start_period: "5s"
+      retries: 3
+# Be sure, that docker daemon has access to unprivileged ports (beneath 1024)
+# This can be archived by:
+# setcap cap_net_bind_service=+ep /usr/bin/rootlesskit
+#
+# To access local services, take the hostname directly, maybe define it static and add it to /etc/hosts on the host
+# Mind, that the ports must be pubilshed by the other containers to the host via ports or expose, or add them to the network
+# e.g. pcserver:9000 !!! NOT: !!! localhost:9000 - this is prevented by docker in rootless- mode !
+#Do NOT use networkmode: "host", this will fail (Acme: Connection refused)!
 #    network_mode: "host"
-# set /etc/sysctl.conf to allow Port 80 and 443 with
-# net.ipv4.ip_unprivileged_port_start = 80
-# net.ipv4.ip_unprivileged_port_start = 443
     ports:
       - "80:80"
@@ Zeile 64: / Zeile 61: @@
 volumes:
   caddy_data:
-    driver: local
-    driver_opts:
-      device: ""
-      type: ""
-      o: "umask=0007"
   caddy_config:
-    driver: local
-    driver_opts:
-      device: ""
-      type: ""
-      o: "umask=0007"
   caddy_certs:
-    driver: local
-    driver_opts:
-      device: ""
-      type: ""
-      o: "umask=0007"
   caddy_sites:
-    driver: local
-    driver_opts:
+networks:
-      device: ""
+# Still needs to be defined while without it won't enable ipv6
-      type: ""
+  default:
-      o: "umask=0007"
+    driver: bridge
+    enable_ipv6: true
 </file>
+Also, check that your Firewall has those Port 80 + 443 open on your host and that Port Forwarding in your Router is enabled for ipv4 and for ipv6.
 ===== Caddy Configuration =====
 if you omit the Caddyfile, the server will already work, but we can directly Skip those tests and create the file ''Caddyfile'' in that folder too with the following content:
 <file>
-https://portainer.obel1x.dynv6.net:443 {
+https://portainer.my.domain.tld:443 {
         header Strict-Transport-Security max-age=31536000;
-        reverse_proxy pcserver2023:9000
+        reverse_proxy mylocalhostname:9000
 }
 </file>
+replace //mylocalhostname// with your actual hostname (can be found out by calling hostname in your terminal).
+Don't use localhost - see above. If you do not have a clue which hostname you have, better specify some fixed one which you can freely chose and edit ''/etc/hosts'' to have that name point to your local ip.
+===== Fetch and run the Caddy Container =====
+Thats all - use ''docker-compose up -d'' to start your container. In the Container- Logs you will see Caddy automagically create SSL- Certificates from lets encrypt if everything was setup the right way. Caddy will take care of renewal without the need to configure anything.
+If the Caddy doe not return any Errors, you now have a powerful proxy, that can transparently deliver your Dockers to the world with SSL- encryption enabled.